Cyber Incident Victim: RailYatri

Date:

Aug 2020

Location:

India

Summary

A major Indian travel booking platform suffered a significant data breach when one of its Elasticsearch servers was left reachable from the internet with no authentication and no encryption, exposing approximately 43GB of sensitive user data. The exposed records contained full names, contact details, payment logs with partial card data, travel itineraries and location records for an estimated 700,000 users, along with authentication tokens embedded in URLs. After security researchers found the server, it was hit by a Meow bot attack that deleted over 90% of the database. The exposure created risks of phishing, identity fraud and physical threats, since travel patterns could be inferred from the data. When initial notifications to the company went unanswered, the researchers escalated to national authorities, which led to the server being secured.

CIA Posture: Available to members
Motives: 6 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On August 9, 2020, RailYatri, an Indian government-sanctioned travel platform serving approximately 24 million daily passengers, left an Elasticsearch server publicly exposed without password protection or encryption. Safety Detectives' security team, led by Anurag Sen, identified the vulnerability on August 10, finding 43GB of unprotected data containing sensitive passenger information. The exposed records included full names, ages, genders, physical addresses, email addresses, mobile phone numbers, payment logs with partial credit/debit card details (first and last four digits, cardholder names, expiry dates, and issuing banks), Unified Payment Interface IDs, booking details, travel itineraries with boarding/disembarkation stations, and authentication tokens embedded in URLs. Location data from ticket bookings and GPS journey tracking functionality was also compromised, potentially revealing users' approximate physical locations and travel patterns. Despite Safety Detectives' initial outreach to RailYatri on August 10 regarding the unprotected server, no response was received before a Meow bot attack on August 12 deleted over 90% of the database, reducing it to 1GB by August 13 while new data continued accumulating.

The breach affected approximately 700,000 individuals, primarily Indian users; the server logs did not give a precise victim count, but analysis of the unique email addresses in the data indicated this scale. The exposed personally identifiable information created risks of identity fraud, phishing using the leaked contact details, targeted malware delivery, and physical threats through analysis of travel patterns and location data. Having received no response from RailYatri, Safety Detectives escalated the issue to India's CERT-In on August 12, and the server was secured by August 13. Because only partial card numbers were exposed, the potential for direct payment fraud was limited, but users remained vulnerable to social engineering attacks built on their travel histories and personal details. RailYatri, which operated both web and mobile platforms with over 10 million Google Play downloads, had its core booking data exposed through the unsecured database; because the Meow attack destroyed the data rather than stealing it, whether anyone exfiltrated the records before deletion could not be confirmed. No containment measures or organizational response beyond securing the server were documented in the disclosure.
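The failure mode described above, an Elasticsearch node answering on its REST port with no authentication, is one an operator can test for directly. The script below is an added example written for this page, not code from RailYatri, Safety Detectives or the Elasticsearch project. It factors the decisions into pure functions: whether a node's root response indicates an unauthenticated cluster, how much data the indices hold (and whether they show the post-wipe naming pattern), and whether stored URLs carry token-like query parameters of the kind the disclosure mentions. The index-naming check assumes, from public reporting on the Meow campaign rather than from this page, that wiped clusters are left with indices named `<random>-meow`. All sample responses and URLs are constructed for the example.

```python
"""Assess an Elasticsearch endpoint for unauthenticated exposure and inspect
what it holds. Added illustrative example; not from the original page."""
import json
import re
import urllib.error
import urllib.request
from urllib.parse import parse_qsl, urlsplit

# --- 1. Is the node answering unauthenticated requests? ---------------------
# Assumption: an Elasticsearch node answers GET / with JSON carrying a
# "version": {"number": ...} object. A 401 (or a WWW-Authenticate header)
# means X-Pack security or a fronting proxy is enforcing credentials.
def assess_root_response(status: int, headers: dict, body: str) -> str:
    if status == 401 or any(k.lower() == "www-authenticate" for k in headers):
        return "auth-required"
    if status != 200:
        return "unexpected-status-%d" % status
    try:
        data = json.loads(body)
    except ValueError:
        return "not-elasticsearch"
    version = data.get("version") if isinstance(data, dict) else None
    if isinstance(version, dict) and "number" in version:
        return "open-elasticsearch"
    return "not-elasticsearch"

# --- 2. How much data is sitting there, and has it already been wiped? ------
# _cat/indices?format=json&bytes=b returns one dict per index. Assumed from
# public reporting of the Meow campaign (not stated on this page): a wiped
# cluster is left with near-empty indices named <random>-meow.
MEOW_INDEX = re.compile(r"^[a-z0-9]+-meow$")

def summarize_indices(cat_indices: list) -> dict:
    total_bytes = 0
    doc_count = 0
    meow = []
    for row in cat_indices:
        total_bytes += int(row.get("store.size") or 0)
        doc_count += int(row.get("docs.count") or 0)
        if MEOW_INDEX.match(row.get("index", "")):
            meow.append(row["index"])
    return {"index_count": len(cat_indices), "doc_count": doc_count,
            "total_bytes": total_bytes, "meow_indices": sorted(meow)}

# --- 3. Do stored URLs carry credentials in the query string? ---------------
# Parameter names that usually mean a bearer secret is being passed in a URL
# (and therefore lands in logs, referrers and any exposed index).
TOKEN_PARAM = re.compile(r"(token|auth|session|secret|otp|apikey|api_key)", re.I)

def find_token_params(url: str) -> list:
    query = urlsplit(url).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if TOKEN_PARAM.search(k)]

# --- Live probe wrapper (does network I/O; not exercised offline) -----------
def probe(base_url: str, timeout: float = 5.0) -> dict:
    def get(path):
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, dict(err.headers), ""
    status, headers, body = get("/")
    result = {"verdict": assess_root_response(status, headers, body)}
    if result["verdict"] == "open-elasticsearch":
        _, _, cat_body = get("/_cat/indices?format=json&bytes=b")
        result["indices"] = summarize_indices(json.loads(cat_body))
    return result

# Constructed sample responses shaped like real ES output (not real data).
SAMPLE_ROOT = '{"name":"node-1","cluster_name":"es","version":{"number":"7.8.0"}}'
SAMPLE_CAT_INDICES = [
    {"index": "bookings", "docs.count": "412000", "store.size": "1073741824"},
    {"index": "ptqeqq5l-meow", "docs.count": "0", "store.size": "230"},
]
SAMPLE_URL = "https://example.invalid/ticket?pnr=1234567890&auth_token=eyJhbGciOiJIUzI1NiJ9.x.y"

if __name__ == "__main__":
    print(assess_root_response(200, {"content-type": "application/json"}, SAMPLE_ROOT))
    print(summarize_indices(SAMPLE_CAT_INDICES))
    print(find_token_params(SAMPLE_URL))
```

Run it against a host with `probe("http://host:9200")`; a verdict of `open-elasticsearch` is the condition this incident turned on, and it should only ever be seen from inside the network, never from a public address. A non-zero `meow_indices` list means the cluster has already been wiped, so the question is no longer whether data will leak but whether it already did before the deletion.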
